Integrity

Integrity refers to the process of preserving the accuracy and completeness of data over its entire lifecycle so that it cannot be modified in an unauthorized or undetected manner. This modification can happen maliciously (e.g., by an intermediary in the network) or inadvertently (e.g., because of a software or hardware failure).

Achieving integrity

Note: In the previous chapter, we discussed some techniques that can protect against accidental modifications, such as checksums and cyclic redundancy checks, so here we will focus on malicious modification, which is more relevant in the context of security.

Hash value

A simple approach to protect the integrity of data is to calculate the hash value for a piece of data and send both the data and the hash, as shown in the following illustration:

  1. A system where there is a sender, a receiver, and the communication network.
  2. Sender has some data in plaintext.
  3. Sender calculates the hash of the data using the hash function.
  4. Sender puts the data and the corresponding hash in a message and sends the message on the network.
  5. The message is forwarded to the receiver.
  6. Receiver receives the message.
  7. Receiver calculates the hash of the data in the message using the hash function.
  8. Receiver compares the hash of the data it calculated locally with the stored hash in the message.
  9. Receiver keeps the message because the hash values match, as the data was not modified by any malicious entity in the network.

A malicious entity could modify the data, but we can detect some of these attacks if that entity cannot figure out the correct hash function, as shown in the following illustration.

  1. A system where there is a sender, a receiver, and the communication network.
  2. Sender has some data in plaintext.
  3. Sender calculates the hash of the data using the hash function.
  4. Sender puts the data and the corresponding hash in a message and sends the message on the network.
  5. A malicious entity enters the network.
  6. The malicious entity updates the data in the message, which is then forwarded to the receiver.
  7. Receiver receives the message.
  8. Receiver calculates the hash of the data in the message using the hash function.
  9. Receiver compares the hash of the data it calculated locally with the stored hash in the message.
  10. Receiver rejects the message because the hash values mismatch, as the data was modified by the malicious entity in the network.

However, this approach suffers from an obvious problem:

  • If we send the hash alongside the data, any malicious actor that can modify the data might be able to figure out the hash function used and adjust the hash accordingly. As a result, we would be unable to detect the modified data.

Consequently, we usually need a combination of integrity and authentication, i.e., be certain that the hash corresponds to the data and that the sender has calculated the hash and not someone else.

We can achieve this with techniques similar to the ones described previously. The following techniques provide both integrity and authentication.

Techniques that provide both integrity and authentication

We will consider two techniques for ensuring integrity and authentication.

Message authentication codes

Message authentication codes make use of a shared secret key to generate a tag for a message. The tag can then be verified against the data using the same shared key. This is shown in the following illustration.

  1. Sender requests the Key generator to generate a secret key.
  2. There is a Sender, a Receiver, and a communication Network in a communication system.
  3. Sender has a message and wants to send this message to the Receiver.
  4. On the Sender side, the message is first sent for creating the tag against the message.
  5. Sender generates a tag for the message using a shared secret key; the tagged message is then sent over the network.
  6. On the Receiver side, the tag is first verified.
  7. Receiver verifies the tag against the message using the shared secret key, removes the tag, and keeps the message.

This technique suffers from similar problems as symmetric encryption.
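The following added example (not part of the original page) runs the hash-only scheme and a message authentication code side by side against the same in-transit modification. HMAC-SHA256 is used as the MAC; the message text, the function names, and the randomly generated key are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def send_with_hash(data: bytes):
    """Sender: attach an unkeyed SHA-256 digest to the data."""
    return data, hashlib.sha256(data).digest()


def verify_hash(data: bytes, digest: bytes) -> bool:
    """Receiver: recompute the digest and compare it with the one in the message."""
    return hmac.compare_digest(hashlib.sha256(data).digest(), digest)


def send_with_mac(key: bytes, data: bytes):
    """Sender: attach an HMAC-SHA256 tag computed with the shared secret key."""
    return data, hmac.new(key, data, hashlib.sha256).digest()


def verify_mac(key: bytes, data: bytes, tag: bytes) -> bool:
    """Receiver: recompute the tag with the shared key, compare in constant time."""
    return hmac.compare_digest(hmac.new(key, data, hashlib.sha256).digest(), tag)


def modify_in_transit(data: bytes):
    """Intermediary without the key: changes the data and recomputes the hash,
    which needs nothing but the (public) hash function."""
    changed = data.replace(b"100", b"900")
    return changed, hashlib.sha256(changed).digest()


def run_scenarios() -> dict:
    key = secrets.token_bytes(32)             # known to sender and receiver only
    original = b"transfer 100 to account 42"  # constructed sample message
    data, digest = send_with_hash(original)
    _, tag = send_with_mac(key, original)
    changed, changed_digest = modify_in_transit(data)
    return {
        "hash_untouched": verify_hash(data, digest),
        "hash_data_changed_only": verify_hash(changed, digest),
        "hash_data_and_hash_changed": verify_hash(changed, changed_digest),
        "mac_untouched": verify_mac(key, original, tag),
        "mac_data_changed": verify_mac(key, changed, tag),
        "mac_tag_replaced_by_hash": verify_mac(key, changed, changed_digest),
    }
```

The only modified message the receiver accepts is the hash-only one where the hash was recomputed along with the data; without the shared key, no tag the intermediary can produce verifies.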

Digital signature

Digital signatures use asymmetric cryptography, where an algorithm generates a public and a private key.

The private key is only known to the sender of the message, who can use it to sign a message producing a digital signature.

The recipients can then make use of the shared public key in order to verify that the digital signature is valid and was generated by the sender.

This is shown in the following illustration.

  1. Sender requests the Key generator to generate a private and a public key.
  2. There is a Sender, a Receiver, and a communication Network in a communication system.
  3. Sender has a message and wants to send this message to the Receiver.
  4. On the Sender side, the message is first sent for signing.
  5. The sender uses the private key to produce the digital signature for the message; the signed message is then sent over the network.
  6. On the Receiver side, the digital signature is verified.
  7. Receiver verifies the digital signature using the public key, removes the signature, and keeps the message if the signature is valid.

Similar to asymmetric encryption, digital signatures can be used to protect the integrity and authenticity of data transmitted through a network or stored in a system.
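The sign-with-private-key, verify-with-public-key flow can be run end to end with the added example below, which is not part of the original page. It uses a Lamport one-time signature built from SHA-256 because that fits in the Python standard library; deployed systems use schemes such as Ed25519 or RSA-PSS from a vetted library, and a Lamport key pair must sign only one message. All names and the sample message are constructed.

```python
import hashlib
import secrets


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def generate_keypair():
    """Private key: 256 pairs of random secrets. Public key: the hash of each."""
    private = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    public = [(H(a), H(b)) for a, b in private]
    return private, public


def digest_bits(message: bytes):
    """The 256 bits of SHA-256(message), most significant bit first."""
    digest = H(message)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def sign(private, message: bytes):
    """Sender: for each digest bit, reveal the matching secret of that pair."""
    return [private[i][bit] for i, bit in enumerate(digest_bits(message))]


def verify(public, message: bytes, signature) -> bool:
    """Receiver: each revealed value must hash to the public entry selected
    by the corresponding bit of the received message's digest."""
    if len(signature) != 256:
        return False
    return all(H(signature[i]) == public[i][bit]
               for i, bit in enumerate(digest_bits(message)))


def demo() -> dict:
    private, public = generate_keypair()      # only `public` is shared
    message = b"transfer 100 to account 42"   # constructed sample message
    signature = sign(private, message)
    return {
        "valid": verify(public, message, signature),
        "modified_message": verify(public, b"transfer 900 to account 42", signature),
        "modified_signature": verify(
            public, message, signature[:-1] + [secrets.token_bytes(32)]),
    }
```

Unlike the MAC, the receiver holds nothing that would let it produce a valid signature itself, so a valid signature also shows that the message came from the holder of the private key.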
